Security at Onpilot

We handle sensitive business data and AI interactions for our customers. Here is how we protect it.

Data Protection

  • Encrypted in transit: All data moves over encrypted connections (TLS 1.2+). HTTPS is enforced everywhere.
  • Encrypted at rest: Databases and stored files use AES-256 encryption. Backups are encrypted separately.
  • Key management: Encryption keys are kept in a dedicated secrets vault with strict lifecycle policies — never in source code.

Access Control

  • Least privilege: Employees and systems are granted only the minimum permissions required for their role.
  • Two-factor sign-in: Required for every team member accessing production systems and admin tools.
  • Role-based access: Access to sensitive data is governed by clearly defined roles, with regular reviews.
  • Secret storage: All integration credentials, API keys, and other secrets live in an encrypted vault, never in code.

Infrastructure

  • Cloud hosting: Services run on AWS with enterprise-grade physical security, SOC 1/2/3, ISO 27001, and PCI DSS certifications.
  • DDoS & WAF: Cloudflare provides DDoS protection, Web Application Firewall, and rate limiting at the edge.
  • Network segmentation: Production, staging, and development environments are isolated with strict firewall rules.
  • Immutable deployments: Containerized workloads with infrastructure-as-code minimize configuration drift.

Application Security

  • Secure SDLC: All code changes go through peer review via pull requests. Direct pushes to production branches are prohibited.
  • Input validation: All external inputs are validated and sanitized at system boundaries.
  • Dependency scanning: Automated tools monitor dependencies for known vulnerabilities with timely patching.
  • Penetration testing: Regular pen tests through qualified third parties with prompt remediation.

Monitoring & Logging

  • Real-time monitoring: All production systems are monitored for availability, performance, and security anomalies.
  • Centralized logging: Application and infrastructure logs are aggregated centrally with tamper-evident storage.
  • Audit trails: All administrative actions and data access events are logged for accountability and compliance.

Compliance

  • GDPR: Working toward full compliance with the EU General Data Protection Regulation. See our Privacy Policy and DPA.
  • PIPEDA (Canada): Working toward compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
  • Data residency: Primary storage in AWS us-east-1 (N. Virginia). Enterprise customers can discuss specific residency requirements.

Incident Response

We maintain a documented incident response plan:

  • Detection: Incidents are identified through automated monitoring and classified by severity.
  • Response: On-call team investigates and contains incidents promptly with immediate escalation for critical issues.
  • Notification: Affected customers are notified within 72 hours of a confirmed data breach per GDPR requirements.
  • Post-mortem: Every significant incident undergoes a blameless review with documented learnings and remediation.

Responsible Disclosure

We welcome security researchers who help keep our platform safe. If you discover a vulnerability:

  • Email info@onpilot.ai with a detailed description and reproduction steps.
  • Allow at least 90 days for resolution before public disclosure.
  • Do not access, modify, or delete data belonging to other users.

We acknowledge reports within 3 business days and will not pursue legal action against researchers acting in good faith.

© 2026 Onpilot AI. All rights reserved.